Save Article

Caution: Cyber Risks Ahead for Connected Cars

Save Article

From sensors to computers to communications networks, the technology in automobiles today exposes them to an alarming array of potential cyberattacks.

When most people step into newer cars, they’re far more concerned with avoiding fender benders than with the possibility of a hacker remotely disabling the car’s engine. But as automobiles are loaded with more technology and become increasingly connected through the Internet of Things to other vehicles, owners’ homes, traffic signals, insurance companies, and more, our beloved and trusted cars are becoming just as vulnerable to cyberattacks as our indispensable computers and mobile devices.

Since 2014, cybersecurity researchers have demonstrated multiple ways to remotely manipulate the systems that control braking, acceleration, steering, and other critical functions in various makes and models of cars. Their findings prompted the FBI and the National Highway Traffic Safety Administration (NHTSA) to issue a public service announcement in March 2016 warning consumers and manufacturers of potential cyberthreats.

In addition to the palpable safety concerns, researchers have also highlighted potential privacy invasions: By exploiting weaknesses in wireless communications systems or in devices that connect directly to cars (such as smartphones, insurance dongles, or diagnostic tools), hackers could conceivably gain access to data stored on a vehicle that describes its owner’s driving habits, current location, entertainment preferences, or daily schedule.

These cyber risks should concern more than just consumers and automobile manufacturers. Businesses that offer company cars, operate fleets, or that are considering the deployment of smart or self-driving vehicles are also at risk, especially if they are liable for passenger safety. Such enterprises may include logistics providers, telecom providers, car rental agencies, construction firms, and delivery services (e.g., pizza, flowers). Logistics companies in particular should confirm that the companies that manufacture and maintain their trucks are on top of cyber risks. The last thing a logistics provider needs is to have a cyberattack shut down its fleet for a day, which would not only lead to massive productivity losses and extreme customer dissatisfaction, but also to a significant decline in its return on assets.

Newer connected vehicles represent an emerging target for hackers because these vehicles are essentially rolling ecosystems of unsecured technologies. For example, the sensors that enable safety features such as adaptive cruise control, forward collision warnings, and lane departure warnings are largely manufactured without common security standards. Similar safety and convenience features have already been used in attacks to gain access to critical driving systems. When sensors communicate maintenance and driving data to auto manufacturers, dealerships, and insurance companies, the transmission of data among multiple networks and vendors creates even more risk of exposure and compromise. And as smart cars communicate with smart homes, home networks also become more vulnerable to attack.

Like safety features, the cellular, Wi-Fi, and SMS networks used to facilitate data transmission were not originally designed for secure communication; a 2015 study found that nearly 100 percent of today’s cars include inadequately secured wireless technologies. As a result, wireless and Internet-based communications networks are among the most common entry points for hackers. Security researchers have already demonstrated the ability to infiltrate vehicle systems using SMS texting.

The volume and complexity of the software running in cars today raises many questions about its quality, security, and reliability. As cars become more connected, they become more technologically complex and yield ever new entry points for attackers. According to one widely reported estimate from Frost & Sullivan, some 100 million lines of code power the navigation, infotainment, telematics, diagnostics, anti-theft, wireless communications, and other systems in higher-end automobiles. (In comparison, the space shuttle contains only about 40 million lines of code.) Frost & Sullivan anticipates the number of lines of code in automobiles to grow by 30 percent over the next several years.

Fasten Your Cyber Seat Belts

To address security and privacy issues, auto manufacturers and their expanding partner and supplier ecosystems will need to become more secure, vigilant, and resilient. That will likely entail:

Instituting a cyber-risk governance model that includes a well-staffed vehicle cybersecurity function run by a dedicated leader with appropriate subject matter expertise and board/executive committee oversight.

Securing products by building cybersecurity into product and component design lifecycles from the outset and weaving secure coding practices into software development and deployment.

Creating mature capabilities for monitoring both the threat landscape and the security of automotive systems and components in real time.

Manufacturers and their partners will need to take additional measures to improve cybersecurity in this industry. These steps will likely include cultivating talent, adopting leading practices from other industries, and working with regulators and federal agencies. Currently, the NHTSA meets regularly with auto manufacturers’ and their suppliers’ technical leads to discuss cybersecurity initiatives, processes, risk assessments, and product design plans. The NHTSA also works closely with other federal agencies on automotive cybersecurity—a collaboration that could prove helpful to manufacturers’ cybervigilance efforts.

In the meantime, lawmakers are preparing their own response. In July 2015, Massachusetts Sen. Edward Markey introduced the Security and Privacy in Your Car Act, which aims to develop federal standards for securing cars and protecting drivers’ privacy. The legislation is currently under consideration by the Senate Committee on Commerce, Science, and Transportation. More recently, in March, Sen. Gary Peters of Michigan, a member of the aforementioned committee, proposed establishing a national automotive cybersecurity laboratory near Detroit.

Auto manufacturers’ focus on safety has led them to develop features like rear cameras, collision warning systems, and anti-lock brakes that are popular with buyers today. The irony is that even as those and other systems have made cars safer, they’ve also made them more vulnerable to cyberattacks that could ultimately lead to the crashes manufacturers and drivers are trying to avoid. It’s time for manufacturers to prioritize in-vehicle cybersecurity before cars get any more connected and complicated. After all, if a hacker manages to install a virus on a car’s control network, the word “crash” may cease to be a metaphor.

Caution: Cyber Risks Ahead for Connected Cars

Related Deloitte Insights

As organizations increasingly embrace big data analytics to improve business decision-making, many CIOs are looking to modernize their big data platforms and considering whether moving workloads to the cloud can help them better handle and derive insights from large amounts of structured and unstructured real-time data.

Procurement leaders recognize technologies can drive insights and efficiencies and enhance supply chain visibility, yet most lack teams with sufficient digital skills. Many of these leaders expect reduced impact from a range of technologies in the next two years, according to the results of the 2018 Deloitte Global Chief Procurement Officer Survey.

Daimler Trucks Asia’s traditional approach to data analysis was reactive in detecting and responding to vehicle quality and safety issues. The introduction of improved predictive analysis and connected sensors steered the company toward a proactive, data-driven approach that heads off many customer complaints and has permeated the organization.

Editors Choice

Many insurers use advanced analytics to gain deeper insights into the underwriting and pricing of risks, but traditional methods are often too slow to meet the volume, speed, and unstructured nature of data captured today. Emerging cognitive and robotic technologies can help insurers keep pace with ever-expanding information flow.

After a relatively subdued 2017, M&A deals are expected to increase in 2018, with acquisition of technology assets the No. 1 strategic driver, according to a Deloitte survey. Technology’s importance in the M&A process appears to continue to rise as it moves deal-making out of the spreadsheet era, dramatically changing M&A in the process.

Some training scenarios for retail employees cannot be easily created on the sales floor, so Walmart sought new ways to replicate those experiences. Virtual reality offered the company an unexpected opportunity to coach workers through situations ranging from responding to a floor spill to managing the holiday rush.

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations. Learn more